Malware Analysis Report

2025-01-19 08:08

Sample ID 240605-z9343sag25
Target 994baec2cfe0477cd7ca8a1a1c2c4817_JaffaCakes118
SHA256 4ec28e96b91666c9621996f7a3534c2b8b505b834189468142f1638f96678210
Tags
discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 994baec2cfe0477cd7ca8a1a1c2c4817_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Loads dropped Dex/Jar

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 21:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 21:25

Reported

2024-06-05 21:29

Platform

android-x86-arm-20240603-en

Max time kernel

68s

Max time network

177s

Command Line

com.cpt.bwin223120

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.name N/A N/A
Accessed system property key: ro.serialno N/A N/A
Accessed system property key: ro.bootloader N/A N/A
Accessed system property key: ro.bootmode N/A N/A
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A
Accessed system property key: ro.product.model N/A N/A

Checks Qemu related system properties.

evasion
Description Indicator Process Target
Accessed system property key: qemu.sf.fake_camera N/A N/A
Accessed system property key: ro.kernel.android.qemud N/A N/A
Accessed system property key: ro.kernel.qemu.gles N/A N/A
Accessed system property key: ro.kernel.qemu N/A N/A
Accessed system property key: init.svc.qemud N/A N/A
Accessed system property key: init.svc.qemu-props N/A N/A
Accessed system property key: qemu.hw.mainkeys N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.cpt.bwin223120/.jiagu/classes.dex N/A N/A
N/A /data/data/com.cpt.bwin223120/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.cpt.bwin223120/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.cpt.bwin223120/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.cpt.bwin223120/.jiagu/tmp.dex N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.cpt.bwin223120

chmod 755 /data/data/com.cpt.bwin223120/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.cpt.bwin223120/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.cpt.bwin223120/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

sh -c ps

ps

ps daemonsu

ps | grep su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.app789app9977okok.com udp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.107.80:80 log.tbs.qq.com tcp
US 38.14.33.5:443 www.app789app9977okok.com tcp
US 1.1.1.1:53 www.bcsowowoaakk61788.com udp
US 38.14.33.4:443 www.bcsowowoaakk61788.com tcp
US 1.1.1.1:53 www.bwn78benzcok8878.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp

Files

/data/data/com.cpt.bwin223120/.jiagu/libjiagu.so

/data/data/com.cpt.bwin223120/.jiagu/classes.dex

/data/data/com.cpt.bwin223120/.jiagu/classes.dex

/data/data/com.cpt.bwin223120/.jiagu/classes.dex!classes2.dex

/data/data/com.cpt.bwin223120/.jiagu/tmp.dex

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ri

/data/data/com.cpt.bwin223120/files/.jiagu.lock

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ac

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ic

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/storage/emulated/0/Android/data/com.cpt.bwin223120/files/tbslog/tbslog.txt

/data/data/com.cpt.bwin223120/files/jpush_stat_cache.json

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 21:25

Reported

2024-06-05 21:29

Platform

android-x64-arm64-20240603-en

Max time kernel

5s

Max time network

140s

Command Line

com.cpt.bwin223120

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cpt.bwin223120/[email protected] N/A N/A
N/A /data/user/0/com.cpt.bwin223120/[email protected]!classes2.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.cpt.bwin223120

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

/data/user/0/com.cpt.bwin223120/.jiagu/libjiagu.so

/data/user/0/com.cpt.bwin223120/.jiagu/classes.dex

/data/user/0/com.cpt.bwin223120/[email protected]

/data/user/0/com.cpt.bwin223120/[email protected]!classes2.dex

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ri

/data/data/com.cpt.bwin223120/files/.jiagu.lock

/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId
